
In a critical update to its Known Exploited Vulnerabilities (KEV) Catalog, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-20439 (CVSS 9.8), a critical-severity static credential flaw affecting the Cisco Smart Licensing Utility (CSLU). The move follows confirmation of active exploitation in the wild and growing evidence that attackers are chaining multiple vulnerabilities to compromise exposed systems.
The Cisco Smart Licensing Utility is a Windows-based application for managing licenses of on-premises Cisco products without a connection to Cisco's cloud-hosted Smart Software Manager (SSM). Though intended to simplify licensing workflows, CSLU becomes a high-value attack surface when it is exposed to the internet and left unpatched.
At the heart of the alert is a critical vulnerability that allows unauthenticated remote attackers to gain full administrative access using an undocumented, hard-coded credential embedded in the application.
This backdoor-like access grants control over CSLU’s API, opening the door to further abuse, configuration changes, and potential lateral movement into other parts of the network.
CVE-2024-20439 is dangerous on its own, but combined with CVE-2024-20440 its impact becomes far more severe. CVE-2024-20440 is an information disclosure vulnerability that lets unauthenticated users extract sensitive data, including API credentials, by sending crafted HTTP requests to CSLU endpoints. Attackers are already chaining the two flaws in real-world attacks, first harvesting data and then using it to access and abuse vulnerable systems.
“The two security vulnerabilities only impact systems running a vulnerable Cisco Smart Licensing Utility release, regardless of their software configuration,” Cisco explained.
Last month, Johannes Ullrich, Dean of Research at the SANS Technology Institute, reported that attackers were beginning to exploit both vulnerabilities in tandem, targeting internet-exposed CSLU instances.
“Details, including the backdoor credentials, were published in a blog… So it is no surprise that we are seeing some exploit activity,” Ullrich noted.
Although the end goals of these exploitation attempts remain unclear, researchers observed that the threat actor behind these incidents was also probing other vulnerabilities, including CVE-2024-0305, a separate information disclosure flaw affecting DVRs manufactured by Guangzhou Yingke Electronic.
Fortunately, these flaws only affect systems on which CSLU has been started by a user and is actively running; it does not run in the background by default. Still, while it is running on an internet-reachable host it is a silent doorway for exploitation, so an instance launched for a one-off task and left running is enough.
Both vulnerabilities affect the following CSLU releases:

| Cisco Smart Licensing Utility Release | First Fixed Release |
|---|---|
| 2.0.0 | Migrate to a fixed release. |
| 2.1.0 | Migrate to a fixed release. |
| 2.2.0 | Migrate to a fixed release. |
| 2.3.0 | Not vulnerable. |
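The two questions the advisory leaves an administrator with are whether a host carries a CSLU build below 2.3.0 and whether that build is actually running and listening, since the flaws are only reachable while the utility is up. The following PowerShell triage script is an added example written for this article, not code from Cisco or from the article's sources. It assumes the installer registers itself in the Windows uninstall registry with a DisplayName matching `*Smart Licens*` and that the process name contains `CSLU`; both patterns are assumptions and should be adjusted to match your build.

```powershell
# Added example (not from the article or from Cisco): triage a Windows host for a
# CSLU install in the vulnerable range (2.0.0 - 2.2.0 per the advisory table) that is
# also running and listening, which the advisory says is required for exploitation.
# ASSUMPTIONS: the uninstall-registry DisplayName matches '*Smart Licens*' and the
# process name contains 'CSLU'; adjust both patterns to your build.

$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# First fixed release from the advisory table; anything below it is vulnerable.
$firstFixed = [version]'2.3.0'

$installs = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like '*Smart Licens*' }   # assumed name pattern

if (-not $installs) {
    Write-Output 'CSLU not found in the uninstall registry (check manually if installed another way).'
    return
}

foreach ($app in $installs) {
    $ver = $null
    if (-not [version]::TryParse($app.DisplayVersion, [ref]$ver)) {
        Write-Output "$($app.DisplayName): unparseable version '$($app.DisplayVersion)', inspect manually"
        continue
    }
    $status = if ($ver -lt $firstFixed) { 'VULNERABLE (CVE-2024-20439 / CVE-2024-20440), migrate to 2.3.0' } else { 'fixed' }
    Write-Output "$($app.DisplayName) $ver : $status"
}

# The flaws are only reachable while CSLU is running, so report the process and any
# listening TCP sockets it owns (process-name pattern is an assumption).
$procs = Get-Process -ErrorAction SilentlyContinue | Where-Object { $_.ProcessName -like '*CSLU*' }
if ($procs) {
    foreach ($p in $procs) {
        $listeners = Get-NetTCPConnection -OwningProcess $p.Id -State Listen -ErrorAction SilentlyContinue
        $endpoints = ($listeners | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', '
        if (-not $endpoints) { $endpoints = '(no listening sockets found)' }
        Write-Output ("RUNNING: {0} (PID {1}) listening on {2}" -f $p.ProcessName, $p.Id, $endpoints)
    }
} else {
    Write-Output 'CSLU process not running; not exploitable until it is started.'
}
```

Run it from an elevated PowerShell session so `Get-NetTCPConnection` can map sockets to the owning process. A listener bound to `0.0.0.0` on a host with an internet-facing interface is the exposure the article warns about; stopping the process closes the hole immediately, and migrating to 2.3.0 removes it.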
Due to the verified active exploitation, CISA has mandated all Federal Civilian Executive Branch (FCEB) agencies to apply the necessary patches by April 21, 2025. Organizations outside the federal sector are strongly encouraged to follow suit.